Information Security

This document discusses various topics related to information security including common attacks and vulnerabilities. It describes different types of attacks such as spamming, viruses, denial of service attacks, password guessing, and worms. It also covers information security concepts like logical and physical network separation, firewall architecture, virtual private networks, and encryption techniques including Caesar cipher, DES, and RSA. The overall goal of information security is to protect electronic data and information from unauthorized access and use.


Table of Contents
Information security
Attacks and Vulnerabilities
SPAMMING
VIRUSES
DENIAL OF SERVICE ATTACKS
PASSWORD GUESSING
WORMS
BACKDOOR
SWEEPER
SNIFFERS
PACKET FORGE SPOOFING
IP SPOOFING
TROJAN HORSES
Anatomy of an Attack
Awareness and Management Commitment to Security
Security Policy
Define Security Policy
Confidentiality
Integrity
Availability
Accountability
Assurance
Enforcement
Create Plan for Security Policy
INFOSEC Network Architecture Design Rules
Physical Separation
1. Restrict access
2. Single network segment
3. Use a switch
5.2 LOGICAL SEPARATION
Logical Network Separation
5.3 FIREWALL ARCHITECTURE
MODEM SERVER NETWORK ARCHITECTURE
VIRTUAL PRIVATE NETWORK SECURITY
SUBSTITUTION TECHNIQUES
Caesar cipher (or) shift cipher
DATA ENCRYPTION STANDARD (DES)
RSA Public-Key Cryptosystem
RSA Example

Information security
Information security requirements have changed in recent times. Traditionally, security was provided by physical and administrative mechanisms. Computer use requires automated tools to protect files and other stored information, and the use of networks and communications links requires measures to protect data during transmission.
- Computer Security: generic name for the collection of tools designed to protect data and to thwart hackers.
- Network Security: measures to protect data during their transmission.
- Internet Security: measures to protect data during their transmission over a collection of interconnected networks.
- Information Security: the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.
- Our focus is on Information Security, which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission and storage of information.
Attacks and Vulnerabilities
- An attack is any action that compromises the security of information owned by an organization.
- Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems.
- The terms threat and attack are often used to mean the same thing.
- There is a wide range of attacks, but we can focus on two generic types of attack:
  - passive
  - active
SPAMMING
- Spamming consists of an identified or unidentified source sending bulk mail to your site.
- In the nonmalicious form it consists of sending bulk advertising mail to many accounts at your site consistently, even multiple times a day.
- In the malicious form (e.g., email bombing) it consists of an attacker sending bulk mail until your mail server runs out of disk space.
- This type of attack consumes part or all of the communications bandwidth to your site and attempts to deny service to your mail server by keeping it busy and filling up its disk space.
VIRUSES
- Computer viruses are compact packages of software that require a host (i.e., the computer) in order to replicate and possibly cause damage.
- Viruses can attack any part of a computer's software such as its boot block, operating system, file allocation (FAT) tables, EXE files, COM files and application program macros.
- Boot block viruses replace the boot block with virus code and relocate it to another disk location where data may be overwritten at that location.
- EXE and COM file viruses insert or append the virus code into these files.
DENIAL OF SERVICE ATTACKS
Denial of service prevents or inhibits the normal use or management of communication facilities. Another form of service denial is the disruption of an entire network, either by disabling the network or overloading it with messages so as to degrade performance. It is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communication facilities and paths at all times. Instead, the goal is to detect them and to recover from any disruption or delays caused by them.

PASSWORD GUESSING
- Most hackers gain illegal entry into remote computer systems by guessing passwords.
- It is surprising that so many system accounts have weak passwords. Most hackers gain access by guessing people's passwords using common names or combinations of letters.
- Also, password generation programs are commonly used that create passwords, usually a dictionary word, to try to gain access.
- If access is denied, another password is generated and the process is repeated.
- These password generation programs first try common words such as names, planets, places, etc.
WORMS
- Once inside a computer, a hacker can place a program called a worm that self-replicates.
- Worm programs keep growing larger until disk space or memory is filled.
- These programs seek out unused resources and then consume them.
BACKDOOR
- Once a hacker breaks into a system, code can be inserted somewhere on the system to create a secret backdoor that allows unauthorized access.
- The hacker may deposit a program on the system that allows backdoor access at will.
- Alternatively, the hacker can create his own innocuous-looking account that provides access to the system.
SWEEPER
- Hackers may use a program called a sweeper that sweeps (i.e., deletes) all data from the system.
SNIFFERS
- Sniffers are programs that monitor network traffic (i.e., packets) and can gather useful information that can be used in an attack.
- Hackers use sniffers to capture the first few hundred bytes of telnet, ftp, and rlogin sessions in order to obtain clear text passwords and other useful packet information.
- Once a single computer is compromised and a sniffer is installed, then all the remaining machines on the network can be compromised.
PACKET FORGE SPOOFING
- This is a form of attack that involves the subtle alteration of data in a packet.
- A sophisticated hacker may be able to alter the data effectively in order to do damage to the intended target.
- This usually results in the receipt of wrong information (i.e., misinformation) that was modified by the hacker.
- From the attacker's point of view it is better to give the recipient the wrong information rather than no information.
IP SPOOFING
- A SYN flood attack is a form of internet protocol (IP) spoofing that exploits the three-way handshake in the TCP/IP protocol that initiates every IP connection.
- This form of attack allows a hacker to fake his identity by sending SYN packets with a spoofed source address to a destination host.
- The destination host sends a SYN-ACK packet to the unsuspecting host with the spoofed address.
- The destination host waits for an ACK until there is a time-out.
- The destination machine's connection buffer fills with incomplete connections until it stops accepting new connections.
- In another variation of this type of attack, the hacker probes a computer's ports.
- When an active port is found, the hacker sends multiple SYN packets to discover the sequence numbers of returning ACK/SYN packets.
- Another SYN packet that impersonates a trusted computer is sent by the hacker, followed by an ACK with the correct sequence number, thus establishing a connection to the computer.
- The computer will transmit information to the hacker since it believes the connection is to a trusted host [1].

[1] Meinel, C., "How Hackers Break In…", Scientific American, October 1998, pp. 98-105.
TROJAN HORSES
- Trojan horses are software codes that enter the computer system through the front door.
- This type of software is embedded in a program or utility that the user believes to be harmless, such as a text editor or useful utility program.
- These programs are obtained voluntarily by the user to help with some task or problem.
- When the program is used, it then performs some malicious function such as deleting or copying files to another computer.
Anatomy of an Attack
- This section provides an example of how a hacker might discover information and gain access to a network.
- An attack on your system can come from either inside or outside your organization.
- Protecting your systems only from external attack may be a fatal flaw in your security policy.
- Most attacks, however, do come from the outside by either experienced hackers or inexperienced, newly budding hackers and take place during the night when risk of detection is low.
- Describing this process should enlighten the reader to the clever methods that may be employed by a hacker to gain access to your systems and network.
Awareness and Management Commitment to Security
- The first step in implementing information security is to create a security policy.
- Before creating a security policy, however, an organization's management must consider arguments for the security risks: how security breaches may impact business, such as the reputation of the company if it is hacked (negative publicity), and the potential financial risk that is at stake.
- Also, some businesses, such as healthcare, will need to implement information security because it is required by law.
- If the risks to the organization are not perceived as high, or are not believable, then you will not be able to effectively enforce or maintain your security policy.
- Much of the time management is simply not aware of the risks or does not fully understand them. They may not believe the organization is vulnerable to attack for some reason.
- Managers of small companies, for example, tend to downplay security risks.
- I have found a general lack of management awareness of security risks at all levels and types of organizations.
- Security at best is perceived as a necessary evil and at worst is seen as a costly and undesirable intrusion.
- It must be seen as an integral part of an organization's overall business strategy.
- Security risks must be translated in the minds of managers to financial loss, either through lost business, reduced productivity, lost data, revealed corporate secrets or compromised integrity.
- The threat by hackers must be perceived as real.
- Examples of recent hacker attacks on similar organizations may need to be presented to management, to get their attention.
- If management does not agree to establish and enforce a security policy, then your enhancements to security may not stop your high-risk threats.
- The high-risk threats and the cost of mitigating these threats must be presented accurately and fully.
- Only then can management make a good decision.
- Since management may need to be educated as to the reality of the threat and its impact on the organization, the most potent argument is to clearly define the financial risks.
- It may be necessary to hire a third party to do the vulnerability analysis, as this often has a stronger impact with management.
Security Policy
- Establishing a security policy is the starting point in designing a secure computer network.
- It is essential that a set of minimum security requirements be gathered, formalized and included as the basis of your security policy.
- This security policy must be enforceable by your organization and will create an additional cost to running and monitoring your network.
- This additional cost/benefit of a security policy must be understood and embraced by your organization's management in order to enhance and maintain network and system security.
- The lack of an accepted and well-thought-out security policy and guidelines document is one of the major security vulnerabilities in most companies today.
- This section discusses several Best Practices related to the production of such a document.
- In addition, a generic security policy is provided in Appendix B and also on the accompanying CDROM.
- The importance of a meaningful security policy cannot be overemphasized.
- Perform a threat analysis and risk analysis for your organization to determine the level of security that must be implemented:
  - first, identify all the threats to your computers and network;
  - second, determine threat categories;
  - third, perform the risk assessment; and,
  - fourth, recommend action.
- Risk assessment should be performed by constructing a "consequence" matrix vs. "likelihood" matrix as shown in Figure 4-1.
Define Security Policy
- Define a security policy for the entire site and use it as a guide for the network security architecture.
- Define a policy that includes sections for confidentiality, integrity, availability, accountability, assurance, and enforcement, as described in the following paragraphs.
- The policy should address as much as possible of what is included in these sections according to risk and affordability.
Confidentiality
- The system must ensure the confidentiality of sensitive information by controlling access to information, services, and equipment.
- Only personnel who have the proper authorization and need-to-know can have access to systems and data.
- The system must include features and procedures to enforce access control policies for all information, services, and equipment comprising the system.
Integrity
- The system must maintain the integrity (i.e., the absence of unauthorized and undetected modification) of information and software while these are processed, stored and transferred across a network or publicly accessible transmission media.
- Each file or data collection in the system must have an identifiable source throughout its life cycle.
- Also, the system must ensure the integrity of its mission-critical equipment.
- Automated and/or manual safeguards must be used to detect and prevent inadvertent or malicious destruction or modification of data.
Availability
- The system must protect against denial of service threats.
- Protection must be proportionate to the operational value of the services and the information provided.
- This protection must include protection against environmental threats such as loss of power and cooling.
Accountability
- The system must support tracing of all security relevant events, including violations and attempted violations of security policy, to the individual subsystems and/or users including external connections.
- The system must enforce the following rules:
  1. Personnel and systems connecting to the system must be uniquely identifiable to the system and must have their identities authenticated before being granted access to sensitive information, services, or equipment.
  2. Each subsystem handling sensitive or mission-critical information must maintain an audit trail of security relevant events, including attempts by individual users or interfacing subsystems to gain access through interfaces not authorized for that particular purpose.
- This audit trail must be tamper-resistant and always active.
Assurance
- The criticality and sensitivity of the information handled, equipment and services, and the need-to-know of personnel must be identified in order to determine the applicable security requirements.
- The security implementations chosen must provide adequate security protection commensurate with the criticality of the data, in accordance with the security policy.
Enforcement
- The security policy must be enforced throughout the life cycle of the system.
- All implementations of system security functions, including those implemented at the subsystem level, must be evaluated to ensure that they adequately enforce the requirements derived from the security policy.
- Each platform must be evaluated to ensure that the installed system configuration enforces the stated security policy.
- As a result of this evaluation, an assessment of the vulnerability can be generated.
- This assessment must be evaluated by the security manager or system administrator to decide if any modifications to the system must be made so that it complies with the security policy.
- Security best practices must be employed throughout the life cycle of a system to ensure continued compliance with the stated security policy.
- New system projects must have information security representatives during the planning and preliminary design stages in order to implement security into the design.
Create Plan for Security Policy
- Create a plan for implementing your security policy.
- Once a security policy is established, an implementation plan should be created.
- Incremental, staged infrastructure improvements and new hires (if any) will help management plan for expenses and create a timetable for implementation.
- The implementation plan should include the following steps:
  1) Defining implementation guidelines. These guidelines should specify the personnel to receive security alarms and what action is to be taken, chains of command for incident escalation, and reporting requirements.
  2) Educating staff, customers, etc. about the security policy.
  3) Purchasing any needed hardware/software and hiring any needed personnel.
  4) Installing and testing equipment/software.
INFOSEC Network Architecture Design Rules
- If you are installing a large network, then you may have to create more than one network segment.
- Practically, if there are a very large number of nodes on an Ethernet network, then separate physical networks must be created.
- These separate networks can be connected together via a router.
- Such a large network space increases the risk of network security problems.
- Therefore, traffic between separate networks must be restricted only to those systems that need to access data.
- This limited access will decrease the number of users that may compromise each separate physical network.
Physical Separation
1. Restrict access:
- Restrict access between separate physical networks via a filtering router.
- A filtering router must be used to restrict access between network segments.
- Filtering routers or packet-screening routers control the flow of IP packets between two or more network segments based on a set of rules as shown in Figure 5-1.
- A filtering router has the ability to filter IP traffic using filtering rules.

2. Single network segment
- When there is more than one physical network segment, connect information systems that need to be universally accessible within an organization on a single network segment.
- By placing all servers that need to be universally accessible across multiple networks onto a single network segment, users from separate networks can have access to these common systems without opening their own networks to inter-segment traffic.
- This network access control can be done at the router that connects the individual networks.
- If performance becomes a problem on the common shared network segment, upgrade the segment to a higher bandwidth.

3. Use a switch
- Use a switch to isolate traffic between servers, groups of users, and departments.
- Use a switch to separate traffic between servers and departments within an organization in order to prevent the unnecessary flow of network traffic throughout an organization.
- Therefore, if a hacker or internal user starts to monitor the network from a specific PC, then he or she will only have a restricted view of all the packets that are travelling along that specific segment.
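The filtering-router rules that rules 1 and 2 above call for can be expressed as a short first-match rule set. The following is an added example, not code or a figure from the notes: it builds the rule set for the layout the notes recommend (user segments may reach a common server segment on listed service ports, everything else is denied) and evaluates packets against it. All addresses, segments and ports are constructed for illustration.

```python
# Added example (not from the notes): a minimal first-match packet filter of the
# kind a filtering router applies between network segments.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None means any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def build_rules(user_segments, server_segment, ports):
    """Rules for the layout the notes recommend: each user segment may reach the
    common server segment on the listed TCP service ports; nothing else is
    permitted, so traffic between user segments falls through to the default deny."""
    rules = [Rule("permit", seg, server_segment, "tcp", port)
             for seg in user_segments for port in ports]
    rules.append(Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None))
    return rules


# Constructed addressing: two user segments and one common server segment
# offering mail (25) and intranet web (80).
RULES = build_rules(["10.1.0.0/24", "10.2.0.0/24"], "10.9.0.0/24", [25, 80])


def filter_packet(pkt, rules=RULES):
    """Return the action of the first matching rule; deny if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def packet(src, dst, proto, dport):
    """Build the packet header fields the filter looks at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}
```

Because rules are checked in order and the last rule denies everything, a service that is not listed explicitly (telnet to the server segment, or any traffic between the two user segments) is blocked.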
5.2 LOGICAL SEPARATION
- Another method of restricting access within a single network is to divide the network into separate logical partitions.
- Each logical partition appears as a separate network, has a separate user accounts database, and has a preconfigured trust relationship between other logical network partitions.
- Access to resources within a logical network partition is controlled by each domain administrator.
- Separating the network logically also restricts users from having universal access to all resources on the network and thereby increases information and network security.
- Typically, one logical network will not be able to access some resources on another logical network unless there is a trust relationship set up between the networks.
- The downside is that it requires more work to administer the separate logical partitions.
- Dividing the network into too many partitions can be inefficient, make it difficult to administer the network, and add more complexity to the network and network security.
- Typically, there should be a logical separation between large departments or large groups of users.
- For example, the MIS department may want to have its own logical partition since they need to restrict access to their computers from the general population and would like to have control over additional security on their network.
- As a practical matter, however, it is much easier to manage a network with a single logical partition having a single accounts database.
Logical Network Separation:
1. Set up logical network separation where you want to increase network security for a group of users.
2. Set up one or more servers to belong to each logical network partition.
3. Each set of users will be authenticated by a single server in each logical partition and have access only to those resources within it.
4. Logical separation will restrict access to servers by users belonging only to that logical partition and thereby increase security within a single network.
5.3 FIREWALL ARCHITECTURE
- Securing your network from the internet and other external communication links requires that your site have a firewall that properly isolates the external network from your internal network.
- A firewall is a device or collection of devices and software that securely connects a trusted network with an untrusted or public network.
- Packets must flow past the firewall and be controlled by the firewall by a set of rules that authorize packets to pass between the two networks.
- Rules are set up at the firewall to enforce the site's security policy.
- It is absolutely necessary that your organization's internal network be protected from an external public network such as the internet.
- The internet is a public network which operates using the TCP/IP protocol.
- There are millions of connected machines on the network capable of sending mail via SMTP, logging into a computer via telnet, transferring files via FTP, and doing web browsing using HTTP.
- Connecting to the internet essentially merges your network with the large internet network.
- In order to be connected your site must establish a connection with an internet service provider (ISP).
- Connections are established by a leased line, phone line or cable line to the service provider using a modem and, for higher speed applications, a modem and router (e.g., operating at 56Mbps, 128Mbps, 256Mbps, T1 or some speed in between).
MODEM SERVER NETWORK ARCHITECTURE
- A modem is used for dialing into an organization from remote locations during travel or from home.
- A connection is established when a user dials in over a phone line to a modem in order to connect to a computer, logon, and access some internal application or service.
- Some users may also use modems to establish a dial-out connection to an external computer.
- These types of connections are decreasing because of the internet.
- Do not allow any modems on individual machines.
- Locate modem servers on the internal network.
VIRTUAL PRIVATE NETWORK SECURITY
- Use a Virtual Private Network (VPN) over the internet between two sites in place of a leased line connection for less sensitive site-to-site communications.
- Use hubs to isolate traffic in order to make it more difficult for hackers to perform sniffing of the network.
SUBSTITUTION TECHNIQUES
A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.
Caesar cipher (or) shift cipher
The earliest known use of a substitution cipher, and the simplest, was by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing 3 places further down the alphabet. For example:
  plain text:  pay more money
  cipher text: SDB PRUH PRQHB
Note that the alphabet is wrapped around, so that the letter following 'z' is 'a'. For each plaintext letter p, substitute the ciphertext letter C such that
  C = E(p) = (p + 3) mod 26
A shift may be any amount, so the general Caesar algorithm is
  C = E(p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
  P = D(C) = (C - k) mod 26
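The general shift cipher above, as an added example (not code from the notes): letters are numbered a=0..z=25, encryption applies C = (p + k) mod 26 and decryption P = (C - k) mod 26, and non-letters pass through unchanged. The last function goes beyond the notes' text by listing all 25 candidate decryptions, which is why a key space of 25 gives no real protection.

```python
# Added example (not from the notes): the Caesar / shift cipher with a general
# key k, plus an exhaustive key search over the 25 possible keys.
import string

ALPHABET = string.ascii_lowercase   # a=0, b=1, ..., z=25


def caesar_encrypt(plaintext: str, k: int = 3) -> str:
    """Shift each letter k places down the alphabet, wrapping from z to a.
    Ciphertext is written in upper case, as in the notes' example."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            p = ALPHABET.index(ch)
            out.append(ALPHABET[(p + k) % 26].upper())
        else:
            out.append(ch)          # spaces and punctuation are left as-is
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int = 3) -> str:
    """Undo the shift: P = (C - k) mod 26."""
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            c = ALPHABET.index(ch)
            out.append(ALPHABET[(c - k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(ciphertext: str) -> dict:
    """Exhaustive key search: with only 25 keys, every candidate plaintext can be
    listed and the readable one picked out by inspection."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}
```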
DATA ENCRYPTION STANDARD (DES)
In May 1973, and again in Aug 1974, the NBS (now NIST) called for possible encryption algorithms for use in unclassified government applications. The response was mostly disappointing; however, IBM submitted their Lucifer design, and following a period of redesign and comment it became the Data Encryption Standard (DES).
- One of the largest users of the DES is the banking industry, particularly with EFT and EFTPOS; it is for this use that the DES has primarily been standardized, with ANSI having twice reconfirmed its recommended use for 5 year periods. A further extension is not expected, however.
- Although the standard is public, the design criteria used are classified and have yet to be released.
- There has been considerable controversy over the design, particularly in the choice of a 56-bit key.
- Recent analysis has shown, despite this, that the choice was appropriate and that DES is well designed.
- Rapid advances in computing speed, though, have rendered the 56-bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman.
- The DES has also been theoretically broken using a method called Differential Cryptanalysis; however, in practice this is unlikely to be a problem (yet).
RSA Public-Key Cryptosystem
The best known and widely regarded as most practical public-key scheme was proposed by Rivest, Shamir & Adleman in 1977: R. L. Rivest, A. Shamir, L. Adleman, "On Digital Signatures and Public Key Cryptosystems", Communications of the ACM, vol 21 no 2, pp 120-126, Feb 1978.
- It is a public-key scheme which may be used for encrypting messages, exchanging keys, and creating digital signatures.
- It is based on exponentiation in a finite (Galois) field over integers modulo a prime; nb exponentiation takes O((log n)^3) operations.
- Its security relies on the difficulty of calculating factors of large numbers; nb factorization takes O(e^(log n log log n)) operations (same as for discrete logarithms).
- The algorithm is patented in North America (although algorithms cannot be patented elsewhere in the world); this is a source of legal difficulties in using the scheme.
- RSA is a public key encryption algorithm based on exponentiation using modular arithmetic.
- To use the scheme, first generate keys. Key generation by each user consists of:
  - selecting two large primes at random (~100 digit), p, q
  - calculating the system modulus R = p.q (p, q primes)
  - selecting at random the encryption key e, with e < R, gcd(e, φ(R)) = 1
  - solving the congruence to find the decryption key d: e.d ≡ 1 mod φ(R), 0 <= d <= R
  - publishing the public encryption key: K1 = {e, R}
  - securing the private decryption key: K2 = {d, p, q}
- Encryption of a message M to obtain ciphertext C is:
  C = M^e mod R
- Decryption of a ciphertext C to recover the message M is:
  M = C^d = M^(e.d) = M^(1 + n.φ(R)) = M mod R
- The RSA system is based on the following result: if R = pq where p, q are distinct large primes, then x^φ(R) ≡ 1 mod R for all x not divisible by p or q, and φ(R) = (p-1)(q-1).
RSA Example
- Usually the encryption key e is a small number, which must be relatively prime to φ(R) (ie GCD(e, φ(R)) = 1).
- Typically e may be the same for all users (provided certain precautions are taken); 3 is suggested.
- The decryption key d is found by solving the congruence e.d ≡ 1 mod φ(R), 0 <= d <= R; an extended Euclid's GCD or Binary GCD calculation is done to do this.
- Given e=3, R=11*47=517, φ(R)=10*46=460, then d = Inverse(3,460) by Euclid's algorithm:

  i     y     g     u     v
  0     -   460     1     0
  1     -     3     0     1
  2   153     1     1  -153
  3     3     0    -3   460

  ie: d = -153, or 307 mod 517
- A sample RSA encryption/decryption calculation is:
  M = 26,  C = 26^3 mod 517 = 515,  M = 515^307 mod 517 = 26
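The key generation, encryption and decryption steps above, worked with the notes' own numbers (p=11, q=47, e=3, M=26), as an added example that is not code from the notes. The extended Euclid routine is the Inverse(3,460) step; its coefficients for the table rows (g=1, u=1, v=-153) are returned directly, and d is reduced modulo φ(R)=460, giving 307.

```python
# Added example (not from the notes): textbook RSA with the notes' small
# parameters. Real keys use ~100-digit primes and padding; this only shows the
# arithmetic of the scheme.
from math import gcd


def extended_gcd(a: int, b: int):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b) (extended Euclid)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def mod_inverse(e: int, phi: int) -> int:
    """Solve e*d = 1 (mod phi), the congruence from the notes."""
    g, _, v = extended_gcd(phi, e)      # v is the coefficient of e, as in the table
    if g != 1:
        raise ValueError("e must be relatively prime to phi(R)")
    return v % phi                      # bring d into the range 0 <= d < phi


def rsa_keygen(p: int, q: int, e: int = 3):
    """Return the public key (e, R) and private key (d, p, q) for primes p, q."""
    R = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(R)")
    d = mod_inverse(e, phi)
    return (e, R), (d, p, q)


def rsa_encrypt(M: int, public_key) -> int:
    """C = M^e mod R, computed by modular exponentiation."""
    e, R = public_key
    return pow(M, e, R)


def rsa_decrypt(C: int, private_key) -> int:
    """M = C^d mod R."""
    d, p, q = private_key
    return pow(C, d, p * q)
```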
